'\" t .\" Title: ntlm_auth .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 09/23/2020 .\" Manual: User Commands .\" Source: Samba 4.12.7 .\" Language: English .\" .TH "NTLM_AUTH" "1" "09/23/2020" "Samba 4\&.12\&.7" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" ntlm_auth \- tool to allow external access to Winbind\*(Aqs NTLM authentication function .SH "SYNOPSIS" .HP \w'\ 'u ntlm_auth .SH "DESCRIPTION" .PP This tool is part of the \fBsamba\fR(7) suite\&. .PP ntlm_auth is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently Squid and mod_ntlm_winbind) .SH "OPERATIONAL REQUIREMENTS" .PP The \fBwinbindd\fR(8) daemon must be operational for many of these commands to function\&. .PP Some of these commands also require access to the directory winbindd_privileged in $LOCKDIR\&. This should be done either by running this command as root or providing group access to the winbindd_privileged directory\&. For security reasons, this directory should not be world\-accessable\&. .SH "OPTIONS" .PP \-\-helper\-protocol=PROTO .RS 4 Operate as a stdio\-based helper\&. Valid helper protocols are: .PP squid\-2\&.4\-basic .RS 4 Server\-side helper for use with Squid 2\&.4\*(Aqs basic (plaintext) authentication\&. .RE .PP squid\-2\&.5\-basic .RS 4 Server\-side helper for use with Squid 2\&.5\*(Aqs basic (plaintext) authentication\&. .RE .PP squid\-2\&.5\-ntlmssp .RS 4 Server\-side helper for use with Squid 2\&.5\*(Aqs NTLMSSP authentication\&. .sp Requires access to the directory winbindd_privileged in $LOCKDIR\&. The protocol used is described here: http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the YR command\&. (Thus avoiding loss of information in the protocol exchange)\&. .RE .PP ntlmssp\-client\-1 .RS 4 Client\-side helper for use with arbitrary external programs that may wish to use Samba\*(Aqs NTLMSSP authentication knowledge\&. .sp This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A YR command (without any arguments) starts the authentication exchange\&. .RE .PP gss\-spnego .RS 4 Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&. .sp Requires access to the directory winbindd_privileged in $LOCKDIR\&. .RE .PP gss\-spnego\-client .RS 4 Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&. .RE .PP ntlm\-server\-1 .RS 4 Server\-side helper protocol, intended for use by a RADIUS server or the \*(Aqwinbind\*(Aq plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&. .sp This protocol consists of lines in the form: Parameter: value and Parameter:: Base64\-encode value\&. The presence of a single period \&. indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&. .sp Currently implemented parameters from the external program to the helper are: .PP Username .RS 4 The username, expected to be in Samba\*(Aqs \m[blue]\fBunix charset\fR\m[]\&. .PP Examples: .RS 4 Username: bob .sp Username:: Ym9i .RE .RE .PP NT\-Domain .RS 4 The user\*(Aqs domain, expected to be in Samba\*(Aqs \m[blue]\fBunix charset\fR\m[]\&. .PP Examples: .RS 4 NT\-Domain: WORKGROUP .sp NT\-Domain:: V09SS0dST1VQ .RE .RE .PP Full\-Username .RS 4 The fully qualified username, expected to be in Samba\*(Aqs \m[blue]\fBunix charset\fR\m[] and qualified with the \m[blue]\fBwinbind separator\fR\m[]\&. .PP Examples: .RS 4 Full\-Username: WORKGROUP\ebob .sp Full\-Username:: V09SS0dST1VQYm9i .RE .RE .PP LANMAN\-Challenge .RS 4 The 8 byte LANMAN Challenge value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&. .PP Examples: .RS 4 LANMAN\-Challenge: 0102030405060708 .RE .RE .PP LANMAN\-Response .RS 4 The 24 byte LANMAN Response value, calculated from the user\*(Aqs password and the supplied LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&. .PP Examples: .RS 4 LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718 .RE .RE .PP NT\-Response .RS 4 The >= 24 byte NT Response calculated from the user\*(Aqs password and the supplied LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&. .PP Examples: .RS 4 NT\-Response: 0102030405060708090A0B0C0D0E0F10111213141516171 .RE .RE .PP Password .RS 4 The user\*(Aqs password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&. .PP Examples: .RS 4 Password: samba2 .sp Password:: c2FtYmEy .RE .RE .PP Request\-User\-Session\-Key .RS 4 Upon successful authentication, return the user session key associated with the login\&. .PP Examples: .RS 4 Request\-User\-Session\-Key: Yes .RE .RE .PP Request\-LanMan\-Session\-Key .RS 4 Upon successful authentication, return the LANMAN session key associated with the login\&. .PP Examples: .RS 4 Request\-LanMan\-Session\-Key: Yes .RE .RE .RE .sp .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBWarning\fR .ps -1 .br Implementers should take care to base64 encode any data (such as usernames/passwords) that may contain malicious user data, such as a newline\&. They may also need to decode strings from the helper, which likewise may have been base64 encoded\&. .sp .5v .RE .RE .PP \-\-username=USERNAME .RS 4 Specify username of user to authenticate .RE .PP \-\-domain=DOMAIN .RS 4 Specify domain of user to authenticate .RE .PP \-\-workstation=WORKSTATION .RS 4 Specify the workstation the user authenticated from .RE .PP \-\-challenge=STRING .RS 4 NTLM challenge (in HEXADECIMAL) .RE .PP \-\-lm\-response=RESPONSE .RS 4 LM Response to the challenge (in HEXADECIMAL) .RE .PP \-\-nt\-response=RESPONSE .RS 4 NT or NTLMv2 Response to the challenge (in HEXADECIMAL) .RE .PP \-\-password=PASSWORD .RS 4 User\*(Aqs plaintext password .sp If not specified on the command line, this is prompted for when required\&. .sp For the NTLMSSP based server roles, this parameter specifies the expected password, allowing testing without winbindd operational\&. .RE .PP \-\-request\-lm\-key .RS 4 Retrieve LM session key .RE .PP \-\-request\-nt\-key .RS 4 Request NT key .RE .PP \-\-diagnostics .RS 4 Perform Diagnostics on the authentication chain\&. Uses the password from \-\-password or prompts for one\&. .RE .PP \-\-require\-membership\-of={SID|Name} .RS 4 Require that a user be a member of specified group (either name or SID) for authentication to succeed\&. .RE .PP \-\-pam\-winbind\-conf=FILENAME .RS 4 Define the path to the pam_winbind\&.conf file\&. .RE .PP \-\-target\-hostname=HOSTNAME .RS 4 Define the target hostname\&. .RE .PP \-\-target\-service=SERVICE .RS 4 Define the target service\&. .RE .PP \-\-use\-cached\-creds .RS 4 Whether to use credentials cached by winbindd\&. .RE .PP \-\-allow\-mschapv2 .RS 4 Explicitly allow MSCHAPv2\&. .RE .PP \-\-offline\-logon .RS 4 Allow offline logons for plain text auth\&. .RE .PP \-\-configfile= .RS 4 The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See smb\&.conf for more information\&. The default configuration file name is determined at compile time\&. .RE .PP \-V|\-\-version .RS 4 Prints the program version number\&. .RE .PP \-?|\-\-help .RS 4 Print a summary of command line options\&. .RE .PP \-\-usage .RS 4 Display brief usage message\&. .RE .SH "EXAMPLE SETUP" .PP To setup ntlm_auth for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the squid\&.conf file\&. .sp .if n \{\ .RS 4 .\} .nf auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic auth_param basic children 5 auth_param basic realm Squid proxy\-caching web server auth_param basic credentialsttl 2 hours .fi .if n \{\ .RE .\} .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br .PP This example assumes that ntlm_auth has been installed into your path, and that the group permissions on winbindd_privileged are as described above\&. .sp .5v .RE .PP To setup ntlm_auth for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the squid\&.conf file\&. .sp .if n \{\ .RS 4 .\} .nf auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq .fi .if n \{\ .RE .\} .SH "TROUBLESHOOTING" .PP If you\*(Aqre experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millennium Edition against ntlm_auth\*(Aqs NTLMSSP authentication helper (\-\-helper\-protocol=squid\-2\&.5\-ntlmssp), then please read the Microsoft Knowledge Base article #239869 and follow instructions described there\&. .SH "VERSION" .PP This man page is part of version 4\&.12\&.7 of the Samba suite\&. .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. .PP The ntlm_auth manpage was written by Jelmer Vernooij and Andrew Bartlett\&.